{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Querying MDATP Data\n",
    "\n",
    "<h2 style=\"color: red; border: solid; padding: 5pt\">This version of the notebook is deprecated<br>\n",
    "Please see MicrosoftDefender.ipynb</h2>\n",
    "\n",
    "MSTICpy versions > 0.3.0\n",
    "\n",
    "### Description\n",
    "This Notebook provides details and examples of how to connect to and query data from the MDATP Advanced Hunting API.\n",
    "\n",
    "### Installation"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "%pip install --upgrade msticpy"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Authentication\n",
    "\n",
    "Authentication for the MDATP Advanced Hunting API is handled via an Azure AD application. Before you can authenticate, you will need to register an application and grant it the required API permissions. MSTICpy supports Application Context authentication to the API.\n",
    "Detailed instructions on registering an application can be found here: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp\n",
    "\n",
    "Once created, you will need the following details:\n",
    "* Application (client) ID\n",
    "* Directory (tenant) ID\n",
    "* Client secret\n",
    "\n",
    "These details can be found in the Azure Portal under Azure Active Directory > App Registrations.\n",
    "\n",
    "Once collected, the easiest way to manage these details is via msticpyconfig.yaml: add them to the file in the following format:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "'''\n",
    "MDATPApp:\n",
    "  Args:\n",
    "    clientId: \"{Application (client) ID}\"\n",
    "    clientSecret: \"{Client Secret}\"\n",
    "    tenantId: \"{Directory (tenant) ID}\"\n",
    "'''"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "You can then initialize a data provider for MDATP and connect the provider:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {
    "scrolled": true
   },
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Connected.\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "{'token_type': 'Bearer',\n",
       " 'expires_in': '3599',\n",
       " 'ext_expires_in': '3599',\n",
       " 'expires_on': '1578009447',\n",
       " 'not_before': '1578005547',\n",
       " 'resource': 'https://api.securitycenter.windows.com',\n",
       " 'access_token': None}"
      ]
     },
     "execution_count": 5,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "from msticpy.data.data_providers import QueryProvider\n",
    "mdatp_prov = QueryProvider('MDATP')\n",
    "# app_name is the key in msticpyconfig.yaml under which the app details above are stored.\n",
    "mdatp_prov.connect(app_name=\"MDATPApp\")"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Once connected, the MDATP data connector works in the same way as the other MSTICpy data connectors. You can list the available queries:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['MDATP.file_path',\n",
       " 'MDATP.host_alerts',\n",
       " 'MDATP.host_connections',\n",
       " 'MDATP.ip_alerts',\n",
       " 'MDATP.ip_connections',\n",
       " 'MDATP.list_alerts',\n",
       " 'MDATP.list_connections',\n",
       " 'MDATP.list_filehash',\n",
       " 'MDATP.list_files',\n",
       " 'MDATP.list_host_processes',\n",
       " 'MDATP.process_cmd_line',\n",
       " 'MDATP.process_creations',\n",
       " 'MDATP.process_paths',\n",
       " 'MDATP.protocol_connections',\n",
       " 'MDATP.sha1_alerts',\n",
       " 'MDATP.url_alerts',\n",
       " 'MDATP.url_connections',\n",
       " 'MDATP.user_files',\n",
       " 'MDATP.user_logons',\n",
       " 'MDATP.user_network',\n",
       " 'MDATP.user_processes',\n",
       " 'MDATPHunting.accessibility_persistence',\n",
       " 'MDATPHunting.av_sites',\n",
       " 'MDATPHunting.b64_pe',\n",
       " 'MDATPHunting.brute_force',\n",
       " 'MDATPHunting.cve_2018_1000006l',\n",
       " 'MDATPHunting.cve_2018_1111',\n",
       " 'MDATPHunting.cve_2018_4878',\n",
       " 'MDATPHunting.doc_with_link',\n",
       " 'MDATPHunting.dropbox_link',\n",
       " 'MDATPHunting.email_link',\n",
       " 'MDATPHunting.email_smartscreen',\n",
       " 'MDATPHunting.malware_recycle',\n",
       " 'MDATPHunting.network_scans',\n",
       " 'MDATPHunting.powershell_downloads',\n",
       " 'MDATPHunting.service_account_powershell',\n",
       " 'MDATPHunting.smartscreen_ignored',\n",
       " 'MDATPHunting.smb_discovery',\n",
       " 'MDATPHunting.tor',\n",
       " 'MDATPHunting.uncommon_powershell',\n",
       " 'MDATPHunting.user_enumeration']"
      ]
     },
     "execution_count": 9,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mdatp_prov.list_queries()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Get details about an available query by calling it with '?' as its only argument:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 20,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "Query:  list_connections\n",
      "Data source:  MDATP\n",
      "Retrieves list of network connections for a host\n",
      "\n",
      "Parameters\n",
      "----------\n",
      "add_query_items: str (optional)\n",
      "    Additional query clauses\n",
      "end: datetime (optional)\n",
      "    Query end time\n",
      "start: datetime (optional)\n",
      "    Query start time\n",
      "    (default value is: -30)\n",
      "table: str (optional)\n",
      "    Table name\n",
      "    (default value is: NetworkCommunicationEvents  )\n",
      "Query:\n",
      " {table} | where EventTime >= datetime({start}) | where EventTime <= datetime({end}) {add_query_items}\n"
     ]
    }
   ],
   "source": [
    "mdatp_prov.MDATP.list_connections('?')"
   ]
  },
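  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "The '?' help prints a query template together with its parameter defaults. The cell below is an added example, not MSTICpy's own code: it models how such a template is rendered into the single-line KQL string that is sent to the Advanced Hunting API. The rules that a bare integer `start` means days relative to `end` and that `end` defaults to the current time are assumptions modelled on the help output, and the fixed timestamp and host filter are constructed sample values.\n",
    "\n",
    "```python\n",
    "# Added example (not msticpy's own implementation): render a parameterised\n",
    "# query template, using the MDATP.list_connections help output shown above.\n",
    "from datetime import datetime, timedelta, timezone\n",
    "\n",
    "# Template and defaults copied from the list_connections help output.\n",
    "LIST_CONNECTIONS = {\n",
    "    'query': '{table} | where EventTime >= datetime({start}) '\n",
    "             '| where EventTime <= datetime({end}) {add_query_items}',\n",
    "    'defaults': {\n",
    "        'table': 'NetworkCommunicationEvents',\n",
    "        'start': -30,          # assumption: integer means days relative to end\n",
    "        'add_query_items': '',\n",
    "    },\n",
    "}\n",
    "\n",
    "# Constructed fixed clock so the rendered query is reproducible.\n",
    "SAMPLE_NOW = datetime(2019, 12, 8, 17, 22, 37, tzinfo=timezone.utc)\n",
    "# Constructed extra clause: narrow the window to one host. repr() gives a\n",
    "# single-quoted literal for a plain ASCII hostname; it is not a KQL escaper.\n",
    "HOST_FILTER = '| where ComputerName =~ ' + repr('arifb-win10edun-1903')\n",
    "\n",
    "\n",
    "def _as_utc(value):\n",
    "    '''Normalise a datetime to aware UTC (naive values are taken as UTC).'''\n",
    "    if value.tzinfo is None:\n",
    "        value = value.replace(tzinfo=timezone.utc)\n",
    "    return value.astimezone(timezone.utc)\n",
    "\n",
    "\n",
    "def _to_kql_datetime(value):\n",
    "    '''Format a datetime as the ISO-8601 text that KQL datetime() accepts.'''\n",
    "    return _as_utc(value).strftime('%Y-%m-%dT%H:%M:%SZ')\n",
    "\n",
    "\n",
    "def resolve_params(defn, now=None, **overrides):\n",
    "    '''Merge caller overrides with the template defaults.\n",
    "\n",
    "    end defaults to now (assumption); an integer start is a day offset from end.\n",
    "    Returns the parameters with start and end already formatted for KQL.\n",
    "    '''\n",
    "    now = now or datetime.now(timezone.utc)\n",
    "    params = dict(defn['defaults'])\n",
    "    params.update(overrides)\n",
    "    end = _as_utc(params.get('end') or now)\n",
    "    start = params['start']\n",
    "    if isinstance(start, int):\n",
    "        start = end + timedelta(days=start)\n",
    "    else:\n",
    "        start = _as_utc(start)\n",
    "    if start > end:\n",
    "        raise ValueError('query start must not be after query end')\n",
    "    params['start'] = _to_kql_datetime(start)\n",
    "    params['end'] = _to_kql_datetime(end)\n",
    "    return params\n",
    "\n",
    "\n",
    "def render_query(defn, now=None, **overrides):\n",
    "    '''Render the template into the KQL string the provider would submit.\n",
    "\n",
    "    add_query_items is concatenated into the query verbatim, so it must only\n",
    "    ever be built from trusted values, never from untrusted user input.\n",
    "    '''\n",
    "    params = resolve_params(defn, now=now, **overrides)\n",
    "    return defn['query'].format(**params).strip()\n",
    "\n",
    "\n",
    "if __name__ == '__main__':\n",
    "    # Default parameters: the trailing 30-day window ending at SAMPLE_NOW.\n",
    "    print(render_query(LIST_CONNECTIONS, now=SAMPLE_NOW))\n",
    "    # Same window, restricted to a single host via add_query_items.\n",
    "    print(render_query(LIST_CONNECTIONS, now=SAMPLE_NOW, add_query_items=HOST_FILTER))\n",
    "```"
   ]
  },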
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Execute queries with default parameters:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 39,
   "metadata": {
    "scrolled": true
   },
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>AlertId</th>\n",
       "      <th>EventTime</th>\n",
       "      <th>MachineId</th>\n",
       "      <th>ComputerName</th>\n",
       "      <th>Severity</th>\n",
       "      <th>Category</th>\n",
       "      <th>Title</th>\n",
       "      <th>FileName</th>\n",
       "      <th>SHA1</th>\n",
       "      <th>RemoteUrl</th>\n",
       "      <th>RemoteIP</th>\n",
       "      <th>ReportId</th>\n",
       "      <th>Table</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <td>0</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-08T17:22:37.8742974Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>b6d237154f2e528f0b503b58b025862d66b02b73</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>454</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>1</td>\n",
       "      <td>da637111470533220658_-1814166510</td>\n",
       "      <td>2019-12-05T12:34:34.7864124Z</td>\n",
       "      <td>1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739</td>\n",
       "      <td>olaa-win10pro-1607</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>044a0cf1f6bc478a7172bf207eef1e201a18ba02</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>4369</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>2</td>\n",
       "      <td>da637111470533220658_-1814166510</td>\n",
       "      <td>2019-12-05T12:34:34.7864124Z</td>\n",
       "      <td>1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739</td>\n",
       "      <td>olaa-win10pro-1607</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>99ae9c73e9bee6f9c76d6f4093a9882df06832cf</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>4369</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>3</td>\n",
       "      <td>da637111448595540767_-885088719</td>\n",
       "      <td>2019-12-05T12:11:25.5486226Z</td>\n",
       "      <td>499bdd5330f78dc82d0051c8d7a9eb9d69f88333</td>\n",
       "      <td>nestorw-win10pro-1803</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>1b3b40fbc889fd4c645cc12c85d0805ac36ba254</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>14968</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>4</td>\n",
       "      <td>da637111448595540767_-885088719</td>\n",
       "      <td>2019-12-05T12:11:25.5486226Z</td>\n",
       "      <td>499bdd5330f78dc82d0051c8d7a9eb9d69f88333</td>\n",
       "      <td>nestorw-win10pro-1803</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>3ce71813199abae99348f61f0caa34e2574f831c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>14968</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>5</td>\n",
       "      <td>da637111835325717564_-1865655676</td>\n",
       "      <td>2019-12-05T16:05:46.4778106Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>2376</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>6</td>\n",
       "      <td>da637111835325717564_-1865655676</td>\n",
       "      <td>2019-12-05T16:05:46.4778106Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>d487580502354c61808c7180d1a336beb7ad4624</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>2376</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>7</td>\n",
       "      <td>da637111691253610692_623907060</td>\n",
       "      <td>2019-12-05T16:50:16.9477916Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>915</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>8</td>\n",
       "      <td>da637111691253610692_623907060</td>\n",
       "      <td>2019-12-05T16:50:16.9477916Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8dca9749cd48d286950e7a9fa1088c937cbccad4</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>915</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>9</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T16:56:18.6397738Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1190</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>10</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T16:56:18.6397738Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1190</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>11</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T16:56:18.6397738Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1190</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>12</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T16:56:18.6397738Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1190</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>13</td>\n",
       "      <td>da637111691251815824_2024877765</td>\n",
       "      <td>2019-12-05T16:56:18.6407635Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Persistence</td>\n",
       "      <td>Anomaly detected in ASEP registry</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1187</td>\n",
       "      <td>RegistryEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>14</td>\n",
       "      <td>da637111691256543941_-1462732472</td>\n",
       "      <td>2019-12-05T16:56:18.6407635Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Persistence</td>\n",
       "      <td>An uncommon file was created and added to a Ru...</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1187</td>\n",
       "      <td>RegistryEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>15</td>\n",
       "      <td>da637111691246094719_-1324223004</td>\n",
       "      <td>2019-12-05T16:56:18.6685765Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>EAF violation blocked by exploit protection</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1191</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>16</td>\n",
       "      <td>da637111618734194967_-707278866</td>\n",
       "      <td>2019-12-05T16:56:18.8702258Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Low</td>\n",
       "      <td>Malware</td>\n",
       "      <td>An active 'Artoelo' malware was detected</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1200</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>17</td>\n",
       "      <td>da637111691251004475_-451474344</td>\n",
       "      <td>2019-12-05T16:56:19.0725178Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Malware</td>\n",
       "      <td>'Artoelo' malware was detected</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1194</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>18</td>\n",
       "      <td>da637111691511319089_701653122</td>\n",
       "      <td>2019-12-05T17:01:20.0899859Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>SuspiciousActivity</td>\n",
       "      <td>A suspicious file was observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1449</td>\n",
       "      <td>FileCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>19</td>\n",
       "      <td>da637111691521375847_1538423732</td>\n",
       "      <td>2019-12-05T17:01:20.0899859Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Execution</td>\n",
       "      <td>Suspicious behavior by cmd.exe was observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1449</td>\n",
       "      <td>FileCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>20</td>\n",
       "      <td>da637111691521375847_1538423732</td>\n",
       "      <td>2019-12-05T17:12:41.4195893Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Execution</td>\n",
       "      <td>Suspicious behavior by cmd.exe was observed</td>\n",
       "      <td>WindowsDefenderAtpProvisioningService.exe</td>\n",
       "      <td>2f5a566429f0df02dd0dfb45be075531f332a887</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1960</td>\n",
       "      <td>FileCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>21</td>\n",
       "      <td>da637111691511319089_701653122</td>\n",
       "      <td>2019-12-05T17:12:41.4195893Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>SuspiciousActivity</td>\n",
       "      <td>A suspicious file was observed</td>\n",
       "      <td>WindowsDefenderAtpProvisioningService.exe</td>\n",
       "      <td>2f5a566429f0df02dd0dfb45be075531f332a887</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1960</td>\n",
       "      <td>FileCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>22</td>\n",
       "      <td>da637111691521375847_1538423732</td>\n",
       "      <td>2019-12-05T17:12:41.4195893Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Execution</td>\n",
       "      <td>Suspicious behavior by cmd.exe was observed</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1960</td>\n",
       "      <td>FileCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>23</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>24</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>25</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>26</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>27</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>28</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T17:12:43.2754844Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1972</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>29</td>\n",
       "      <td>da637111691251815824_2024877765</td>\n",
       "      <td>2019-12-05T17:12:43.2822557Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Persistence</td>\n",
       "      <td>Anomaly detected in ASEP registry</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1970</td>\n",
       "      <td>RegistryEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>30</td>\n",
       "      <td>da637111691256543941_-1462732472</td>\n",
       "      <td>2019-12-05T17:12:43.2822557Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>Persistence</td>\n",
       "      <td>An uncommon file was created and added to a Ru...</td>\n",
       "      <td>WinATP-Intro-Backdoor‮gpj.exe</td>\n",
       "      <td>79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1970</td>\n",
       "      <td>RegistryEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>31</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-05T14:38:34.3208724Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>45</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>32</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-05T14:38:34.3208724Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8c5437cd76a89ec983e3b364e219944da3dab464</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>45</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>33</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T15:06:20.3372768Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>256</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>34</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T15:06:20.3372768Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>b6d237154f2e528f0b503b58b025862d66b02b73</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>256</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>35</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T15:22:44.3072402Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>368</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>36</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T15:22:44.3072402Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>b6d237154f2e528f0b503b58b025862d66b02b73</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>368</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>37</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T16:02:02.3857966Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>162</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>38</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-05T16:02:02.3857966Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>b6d237154f2e528f0b503b58b025862d66b02b73</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>162</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>39</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T15:59:28.1181531Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8c5437cd76a89ec983e3b364e219944da3dab464</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>130</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>40</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T15:59:28.1181531Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>130</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>41</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T17:11:14.931633Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8c5437cd76a89ec983e3b364e219944da3dab464</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>137</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>42</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T17:11:14.931633Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>137</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>43</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-08T17:22:37.8742974Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>6cbce4a295c163791b60fc23d285e6d84f28ee4c</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>454</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                             AlertId                     EventTime  \\\n",
       "0    da637111553314888493_-215032980  2019-12-08T17:22:37.8742974Z   \n",
       "1   da637111470533220658_-1814166510  2019-12-05T12:34:34.7864124Z   \n",
       "2   da637111470533220658_-1814166510  2019-12-05T12:34:34.7864124Z   \n",
       "3    da637111448595540767_-885088719  2019-12-05T12:11:25.5486226Z   \n",
       "4    da637111448595540767_-885088719  2019-12-05T12:11:25.5486226Z   \n",
       "5   da637111835325717564_-1865655676  2019-12-05T16:05:46.4778106Z   \n",
       "6   da637111835325717564_-1865655676  2019-12-05T16:05:46.4778106Z   \n",
       "7     da637111691253610692_623907060  2019-12-05T16:50:16.9477916Z   \n",
       "8     da637111691253610692_623907060  2019-12-05T16:50:16.9477916Z   \n",
       "9   da637111691236503999_-1316647445  2019-12-05T16:56:18.6397738Z   \n",
       "10  da637111691236503999_-1316647445  2019-12-05T16:56:18.6397738Z   \n",
       "11  da637111691236503999_-1316647445  2019-12-05T16:56:18.6397738Z   \n",
       "12  da637111691236503999_-1316647445  2019-12-05T16:56:18.6397738Z   \n",
       "13   da637111691251815824_2024877765  2019-12-05T16:56:18.6407635Z   \n",
       "14  da637111691256543941_-1462732472  2019-12-05T16:56:18.6407635Z   \n",
       "15  da637111691246094719_-1324223004  2019-12-05T16:56:18.6685765Z   \n",
       "16   da637111618734194967_-707278866  2019-12-05T16:56:18.8702258Z   \n",
       "17   da637111691251004475_-451474344  2019-12-05T16:56:19.0725178Z   \n",
       "18    da637111691511319089_701653122  2019-12-05T17:01:20.0899859Z   \n",
       "19   da637111691521375847_1538423732  2019-12-05T17:01:20.0899859Z   \n",
       "20   da637111691521375847_1538423732  2019-12-05T17:12:41.4195893Z   \n",
       "21    da637111691511319089_701653122  2019-12-05T17:12:41.4195893Z   \n",
       "22   da637111691521375847_1538423732  2019-12-05T17:12:41.4195893Z   \n",
       "23  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "24  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "25  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "26  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "27  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "28  da637111691236503999_-1316647445  2019-12-05T17:12:43.2754844Z   \n",
       "29   da637111691251815824_2024877765  2019-12-05T17:12:43.2822557Z   \n",
       "30  da637111691256543941_-1462732472  2019-12-05T17:12:43.2822557Z   \n",
       "31   da637111536085551266_1012263407  2019-12-05T14:38:34.3208724Z   \n",
       "32   da637111536085551266_1012263407  2019-12-05T14:38:34.3208724Z   \n",
       "33   da637111553314888493_-215032980  2019-12-05T15:06:20.3372768Z   \n",
       "34   da637111553314888493_-215032980  2019-12-05T15:06:20.3372768Z   \n",
       "35   da637111553314888493_-215032980  2019-12-05T15:22:44.3072402Z   \n",
       "36   da637111553314888493_-215032980  2019-12-05T15:22:44.3072402Z   \n",
       "37   da637111553314888493_-215032980  2019-12-05T16:02:02.3857966Z   \n",
       "38   da637111553314888493_-215032980  2019-12-05T16:02:02.3857966Z   \n",
       "39   da637111536085551266_1012263407  2019-12-08T15:59:28.1181531Z   \n",
       "40   da637111536085551266_1012263407  2019-12-08T15:59:28.1181531Z   \n",
       "41   da637111536085551266_1012263407   2019-12-08T17:11:14.931633Z   \n",
       "42   da637111536085551266_1012263407   2019-12-08T17:11:14.931633Z   \n",
       "43   da637111553314888493_-215032980  2019-12-08T17:22:37.8742974Z   \n",
       "\n",
       "                                   MachineId             ComputerName  \\\n",
       "0   f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "1   1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739       olaa-win10pro-1607   \n",
       "2   1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739       olaa-win10pro-1607   \n",
       "3   499bdd5330f78dc82d0051c8d7a9eb9d69f88333    nestorw-win10pro-1803   \n",
       "4   499bdd5330f78dc82d0051c8d7a9eb9d69f88333    nestorw-win10pro-1803   \n",
       "5   be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "6   be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "7   be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "8   be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "9   be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "10  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "11  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "12  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "13  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "14  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "15  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "16  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "17  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "18  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "19  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "20  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "21  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "22  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "23  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "24  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "25  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "26  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "27  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "28  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "29  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "30  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "31  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "32  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "33  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "34  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "35  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "36  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "37  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "38  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "39  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "40  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "41  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "42  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "43  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "\n",
       "         Severity            Category  \\\n",
       "0          Medium      DefenseEvasion   \n",
       "1   Informational           Execution   \n",
       "2   Informational           Execution   \n",
       "3   Informational           Execution   \n",
       "4   Informational           Execution   \n",
       "5          Medium      DefenseEvasion   \n",
       "6          Medium      DefenseEvasion   \n",
       "7   Informational           Execution   \n",
       "8   Informational           Execution   \n",
       "9          Medium      DefenseEvasion   \n",
       "10         Medium      DefenseEvasion   \n",
       "11         Medium      DefenseEvasion   \n",
       "12         Medium      DefenseEvasion   \n",
       "13         Medium         Persistence   \n",
       "14         Medium         Persistence   \n",
       "15  Informational           Execution   \n",
       "16            Low             Malware   \n",
       "17  Informational             Malware   \n",
       "18         Medium  SuspiciousActivity   \n",
       "19         Medium           Execution   \n",
       "20         Medium           Execution   \n",
       "21         Medium  SuspiciousActivity   \n",
       "22         Medium           Execution   \n",
       "23         Medium      DefenseEvasion   \n",
       "24         Medium      DefenseEvasion   \n",
       "25         Medium      DefenseEvasion   \n",
       "26         Medium      DefenseEvasion   \n",
       "27         Medium      DefenseEvasion   \n",
       "28         Medium      DefenseEvasion   \n",
       "29         Medium         Persistence   \n",
       "30         Medium         Persistence   \n",
       "31  Informational           Execution   \n",
       "32  Informational           Execution   \n",
       "33         Medium      DefenseEvasion   \n",
       "34         Medium      DefenseEvasion   \n",
       "35         Medium      DefenseEvasion   \n",
       "36         Medium      DefenseEvasion   \n",
       "37         Medium      DefenseEvasion   \n",
       "38         Medium      DefenseEvasion   \n",
       "39  Informational           Execution   \n",
       "40  Informational           Execution   \n",
       "41  Informational           Execution   \n",
       "42  Informational           Execution   \n",
       "43         Medium      DefenseEvasion   \n",
       "\n",
       "                                                Title  \\\n",
       "0               Suspicious process injection observed   \n",
       "1      [Test Alert] Suspicious Powershell commandline   \n",
       "2      [Test Alert] Suspicious Powershell commandline   \n",
       "3      [Test Alert] Suspicious Powershell commandline   \n",
       "4      [Test Alert] Suspicious Powershell commandline   \n",
       "5               Suspicious process injection observed   \n",
       "6               Suspicious process injection observed   \n",
       "7      [Test Alert] Suspicious Powershell commandline   \n",
       "8      [Test Alert] Suspicious Powershell commandline   \n",
       "9               Suspicious process injection observed   \n",
       "10              Suspicious process injection observed   \n",
       "11              Suspicious process injection observed   \n",
       "12              Suspicious process injection observed   \n",
       "13                  Anomaly detected in ASEP registry   \n",
       "14  An uncommon file was created and added to a Ru...   \n",
       "15        EAF violation blocked by exploit protection   \n",
       "16           An active 'Artoelo' malware was detected   \n",
       "17                     'Artoelo' malware was detected   \n",
       "18                     A suspicious file was observed   \n",
       "19        Suspicious behavior by cmd.exe was observed   \n",
       "20        Suspicious behavior by cmd.exe was observed   \n",
       "21                     A suspicious file was observed   \n",
       "22        Suspicious behavior by cmd.exe was observed   \n",
       "23              Suspicious process injection observed   \n",
       "24              Suspicious process injection observed   \n",
       "25              Suspicious process injection observed   \n",
       "26              Suspicious process injection observed   \n",
       "27              Suspicious process injection observed   \n",
       "28              Suspicious process injection observed   \n",
       "29                  Anomaly detected in ASEP registry   \n",
       "30  An uncommon file was created and added to a Ru...   \n",
       "31     [Test Alert] Suspicious Powershell commandline   \n",
       "32     [Test Alert] Suspicious Powershell commandline   \n",
       "33              Suspicious process injection observed   \n",
       "34              Suspicious process injection observed   \n",
       "35              Suspicious process injection observed   \n",
       "36              Suspicious process injection observed   \n",
       "37              Suspicious process injection observed   \n",
       "38              Suspicious process injection observed   \n",
       "39     [Test Alert] Suspicious Powershell commandline   \n",
       "40     [Test Alert] Suspicious Powershell commandline   \n",
       "41     [Test Alert] Suspicious Powershell commandline   \n",
       "42     [Test Alert] Suspicious Powershell commandline   \n",
       "43              Suspicious process injection observed   \n",
       "\n",
       "                                     FileName  \\\n",
       "0                                 notepad.exe   \n",
       "1                              powershell.exe   \n",
       "2                                     cmd.exe   \n",
       "3                              powershell.exe   \n",
       "4                                     cmd.exe   \n",
       "5                              powershell.exe   \n",
       "6                                 notepad.exe   \n",
       "7                              powershell.exe   \n",
       "8                                     cmd.exe   \n",
       "9                           RuntimeBroker.exe   \n",
       "10                          RuntimeBroker.exe   \n",
       "11                          RuntimeBroker.exe   \n",
       "12              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "13              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "14              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "15                          RuntimeBroker.exe   \n",
       "16              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "17              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "18                             powershell.exe   \n",
       "19                             powershell.exe   \n",
       "20  WindowsDefenderAtpProvisioningService.exe   \n",
       "21  WindowsDefenderAtpProvisioningService.exe   \n",
       "22                                    cmd.exe   \n",
       "23              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "24                          RuntimeBroker.exe   \n",
       "25                          RuntimeBroker.exe   \n",
       "26                          RuntimeBroker.exe   \n",
       "27                          RuntimeBroker.exe   \n",
       "28              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "29              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "30              WinATP-Intro-Backdoor‮gpj.exe   \n",
       "31                             powershell.exe   \n",
       "32                                    cmd.exe   \n",
       "33                             powershell.exe   \n",
       "34                                notepad.exe   \n",
       "35                             powershell.exe   \n",
       "36                                notepad.exe   \n",
       "37                             powershell.exe   \n",
       "38                                notepad.exe   \n",
       "39                                    cmd.exe   \n",
       "40                             powershell.exe   \n",
       "41                                    cmd.exe   \n",
       "42                             powershell.exe   \n",
       "43                             powershell.exe   \n",
       "\n",
       "                                        SHA1 RemoteUrl RemoteIP  ReportId  \\\n",
       "0   b6d237154f2e528f0b503b58b025862d66b02b73                          454   \n",
       "1   044a0cf1f6bc478a7172bf207eef1e201a18ba02                         4369   \n",
       "2   99ae9c73e9bee6f9c76d6f4093a9882df06832cf                         4369   \n",
       "3   1b3b40fbc889fd4c645cc12c85d0805ac36ba254                        14968   \n",
       "4   3ce71813199abae99348f61f0caa34e2574f831c                        14968   \n",
       "5   36c5d12033b2eaf251bae61c00690ffb17fddc87                         2376   \n",
       "6   d487580502354c61808c7180d1a336beb7ad4624                         2376   \n",
       "7   36c5d12033b2eaf251bae61c00690ffb17fddc87                          915   \n",
       "8   8dca9749cd48d286950e7a9fa1088c937cbccad4                          915   \n",
       "9   7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1190   \n",
       "10  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1190   \n",
       "11  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1190   \n",
       "12  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1190   \n",
       "13  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1187   \n",
       "14  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1187   \n",
       "15  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1191   \n",
       "16                                                                   1200   \n",
       "17  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1194   \n",
       "18  36c5d12033b2eaf251bae61c00690ffb17fddc87                         1449   \n",
       "19  36c5d12033b2eaf251bae61c00690ffb17fddc87                         1449   \n",
       "20  2f5a566429f0df02dd0dfb45be075531f332a887                         1960   \n",
       "21  2f5a566429f0df02dd0dfb45be075531f332a887                         1960   \n",
       "22                                                                   1960   \n",
       "23  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1972   \n",
       "24  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1972   \n",
       "25  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1972   \n",
       "26  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1972   \n",
       "27  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1972   \n",
       "28  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1972   \n",
       "29  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1970   \n",
       "30  79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc                         1970   \n",
       "31  6cbce4a295c163791b60fc23d285e6d84f28ee4c                           45   \n",
       "32  8c5437cd76a89ec983e3b364e219944da3dab464                           45   \n",
       "33  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          256   \n",
       "34  b6d237154f2e528f0b503b58b025862d66b02b73                          256   \n",
       "35  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          368   \n",
       "36  b6d237154f2e528f0b503b58b025862d66b02b73                          368   \n",
       "37  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          162   \n",
       "38  b6d237154f2e528f0b503b58b025862d66b02b73                          162   \n",
       "39  8c5437cd76a89ec983e3b364e219944da3dab464                          130   \n",
       "40  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          130   \n",
       "41  8c5437cd76a89ec983e3b364e219944da3dab464                          137   \n",
       "42  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          137   \n",
       "43  6cbce4a295c163791b60fc23d285e6d84f28ee4c                          454   \n",
       "\n",
       "                    Table  \n",
       "0              MiscEvents  \n",
       "1   ProcessCreationEvents  \n",
       "2   ProcessCreationEvents  \n",
       "3   ProcessCreationEvents  \n",
       "4   ProcessCreationEvents  \n",
       "5              MiscEvents  \n",
       "6              MiscEvents  \n",
       "7   ProcessCreationEvents  \n",
       "8   ProcessCreationEvents  \n",
       "9              MiscEvents  \n",
       "10             MiscEvents  \n",
       "11             MiscEvents  \n",
       "12             MiscEvents  \n",
       "13         RegistryEvents  \n",
       "14         RegistryEvents  \n",
       "15             MiscEvents  \n",
       "16             MiscEvents  \n",
       "17             MiscEvents  \n",
       "18     FileCreationEvents  \n",
       "19     FileCreationEvents  \n",
       "20     FileCreationEvents  \n",
       "21     FileCreationEvents  \n",
       "22     FileCreationEvents  \n",
       "23             MiscEvents  \n",
       "24             MiscEvents  \n",
       "25             MiscEvents  \n",
       "26             MiscEvents  \n",
       "27             MiscEvents  \n",
       "28             MiscEvents  \n",
       "29         RegistryEvents  \n",
       "30         RegistryEvents  \n",
       "31  ProcessCreationEvents  \n",
       "32  ProcessCreationEvents  \n",
       "33             MiscEvents  \n",
       "34             MiscEvents  \n",
       "35             MiscEvents  \n",
       "36             MiscEvents  \n",
       "37             MiscEvents  \n",
       "38             MiscEvents  \n",
       "39  ProcessCreationEvents  \n",
       "40  ProcessCreationEvents  \n",
       "41  ProcessCreationEvents  \n",
       "42  ProcessCreationEvents  \n",
       "43             MiscEvents  "
      ]
     },
     "execution_count": 39,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mdatp_prov.MDATP.list_alerts()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Execute queries with custom parameters. `start` sets the beginning of the query time window (`\"-30\"` means 30 days before the end time), and `add_query_items` is appended verbatim to the generated KQL, so only pass operators you control:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 37,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>Severity</th>\n",
       "      <th>count_</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <td>0</td>\n",
       "      <td>Medium</td>\n",
       "      <td>29</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>1</td>\n",
       "      <td>Informational</td>\n",
       "      <td>14</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>2</td>\n",
       "      <td>Low</td>\n",
       "      <td>1</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "        Severity  count_\n",
       "0         Medium      29\n",
       "1  Informational      14\n",
       "2            Low       1"
      ]
     },
     "execution_count": 37,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mdatp_prov.MDATP.list_alerts(start=\"-30\", add_query_items=\"| summarize count() by Severity\")"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Pass `\"print\"` as the first argument to return the fully constructed KQL query as a string instead of executing it. This lets you check exactly what the time filters and any `add_query_items` text expand to before running the query against the tenant:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 40,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "' AlertEvents | where EventTime >= datetime(2019-12-03T23:24:40.794583Z) | where EventTime <= datetime(2020-01-02T23:24:40.794583Z) | summarize count() by Severity'"
      ]
     },
     "execution_count": 40,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "mdatp_prov.MDATP.list_alerts(\"print\", start=\"-30\", add_query_items=\"| summarize count() by Severity\")"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Execute a custom query:"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 43,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>AlertId</th>\n",
       "      <th>EventTime</th>\n",
       "      <th>MachineId</th>\n",
       "      <th>ComputerName</th>\n",
       "      <th>Severity</th>\n",
       "      <th>Category</th>\n",
       "      <th>Title</th>\n",
       "      <th>FileName</th>\n",
       "      <th>SHA1</th>\n",
       "      <th>RemoteUrl</th>\n",
       "      <th>RemoteIP</th>\n",
       "      <th>ReportId</th>\n",
       "      <th>Table</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <td>0</td>\n",
       "      <td>da637111553314888493_-215032980</td>\n",
       "      <td>2019-12-08T17:22:37.8742974Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>b6d237154f2e528f0b503b58b025862d66b02b73</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>454</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>1</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T17:11:14.931633Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8c5437cd76a89ec983e3b364e219944da3dab464</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>137</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>2</td>\n",
       "      <td>da637111470533220658_-1814166510</td>\n",
       "      <td>2019-12-05T12:34:34.7864124Z</td>\n",
       "      <td>1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739</td>\n",
       "      <td>olaa-win10pro-1607</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>99ae9c73e9bee6f9c76d6f4093a9882df06832cf</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>4369</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>3</td>\n",
       "      <td>da637111448595540767_-885088719</td>\n",
       "      <td>2019-12-05T12:11:25.5486226Z</td>\n",
       "      <td>499bdd5330f78dc82d0051c8d7a9eb9d69f88333</td>\n",
       "      <td>nestorw-win10pro-1803</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>1b3b40fbc889fd4c645cc12c85d0805ac36ba254</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>14968</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>4</td>\n",
       "      <td>da637111691236503999_-1316647445</td>\n",
       "      <td>2019-12-05T16:56:18.6397738Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>RuntimeBroker.exe</td>\n",
       "      <td>7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>1190</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>5</td>\n",
       "      <td>da637111835325717564_-1865655676</td>\n",
       "      <td>2019-12-05T16:05:46.4778106Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>2376</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>6</td>\n",
       "      <td>da637111835325717564_-1865655676</td>\n",
       "      <td>2019-12-05T16:05:46.4778106Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Medium</td>\n",
       "      <td>DefenseEvasion</td>\n",
       "      <td>Suspicious process injection observed</td>\n",
       "      <td>notepad.exe</td>\n",
       "      <td>d487580502354c61808c7180d1a336beb7ad4624</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>2376</td>\n",
       "      <td>MiscEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>7</td>\n",
       "      <td>da637111691253610692_623907060</td>\n",
       "      <td>2019-12-05T16:50:16.9477916Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>36c5d12033b2eaf251bae61c00690ffb17fddc87</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>915</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>8</td>\n",
       "      <td>da637111691253610692_623907060</td>\n",
       "      <td>2019-12-05T16:50:16.9477916Z</td>\n",
       "      <td>be333ec5312b6aaf4936cc33784577857108bc3a</td>\n",
       "      <td>arifb-win10edun-1903</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8dca9749cd48d286950e7a9fa1088c937cbccad4</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>915</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <td>9</td>\n",
       "      <td>da637111536085551266_1012263407</td>\n",
       "      <td>2019-12-08T15:59:28.1181531Z</td>\n",
       "      <td>f17cf15efe963a9810a0ad1c1842db543bba8775</td>\n",
       "      <td>pradeepg-win10entn-1809</td>\n",
       "      <td>Informational</td>\n",
       "      <td>Execution</td>\n",
       "      <td>[Test Alert] Suspicious Powershell commandline</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>8c5437cd76a89ec983e3b364e219944da3dab464</td>\n",
       "      <td></td>\n",
       "      <td></td>\n",
       "      <td>130</td>\n",
       "      <td>ProcessCreationEvents</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                            AlertId                     EventTime  \\\n",
       "0   da637111553314888493_-215032980  2019-12-08T17:22:37.8742974Z   \n",
       "1   da637111536085551266_1012263407   2019-12-08T17:11:14.931633Z   \n",
       "2  da637111470533220658_-1814166510  2019-12-05T12:34:34.7864124Z   \n",
       "3   da637111448595540767_-885088719  2019-12-05T12:11:25.5486226Z   \n",
       "4  da637111691236503999_-1316647445  2019-12-05T16:56:18.6397738Z   \n",
       "5  da637111835325717564_-1865655676  2019-12-05T16:05:46.4778106Z   \n",
       "6  da637111835325717564_-1865655676  2019-12-05T16:05:46.4778106Z   \n",
       "7    da637111691253610692_623907060  2019-12-05T16:50:16.9477916Z   \n",
       "8    da637111691253610692_623907060  2019-12-05T16:50:16.9477916Z   \n",
       "9   da637111536085551266_1012263407  2019-12-08T15:59:28.1181531Z   \n",
       "\n",
       "                                  MachineId             ComputerName  \\\n",
       "0  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "1  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "2  1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739       olaa-win10pro-1607   \n",
       "3  499bdd5330f78dc82d0051c8d7a9eb9d69f88333    nestorw-win10pro-1803   \n",
       "4  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "5  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "6  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "7  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "8  be333ec5312b6aaf4936cc33784577857108bc3a     arifb-win10edun-1903   \n",
       "9  f17cf15efe963a9810a0ad1c1842db543bba8775  pradeepg-win10entn-1809   \n",
       "\n",
       "        Severity        Category  \\\n",
       "0         Medium  DefenseEvasion   \n",
       "1  Informational       Execution   \n",
       "2  Informational       Execution   \n",
       "3  Informational       Execution   \n",
       "4         Medium  DefenseEvasion   \n",
       "5         Medium  DefenseEvasion   \n",
       "6         Medium  DefenseEvasion   \n",
       "7  Informational       Execution   \n",
       "8  Informational       Execution   \n",
       "9  Informational       Execution   \n",
       "\n",
       "                                            Title           FileName  \\\n",
       "0           Suspicious process injection observed        notepad.exe   \n",
       "1  [Test Alert] Suspicious Powershell commandline            cmd.exe   \n",
       "2  [Test Alert] Suspicious Powershell commandline            cmd.exe   \n",
       "3  [Test Alert] Suspicious Powershell commandline     powershell.exe   \n",
       "4           Suspicious process injection observed  RuntimeBroker.exe   \n",
       "5           Suspicious process injection observed     powershell.exe   \n",
       "6           Suspicious process injection observed        notepad.exe   \n",
       "7  [Test Alert] Suspicious Powershell commandline     powershell.exe   \n",
       "8  [Test Alert] Suspicious Powershell commandline            cmd.exe   \n",
       "9  [Test Alert] Suspicious Powershell commandline            cmd.exe   \n",
       "\n",
       "                                       SHA1 RemoteUrl RemoteIP  ReportId  \\\n",
       "0  b6d237154f2e528f0b503b58b025862d66b02b73                          454   \n",
       "1  8c5437cd76a89ec983e3b364e219944da3dab464                          137   \n",
       "2  99ae9c73e9bee6f9c76d6f4093a9882df06832cf                         4369   \n",
       "3  1b3b40fbc889fd4c645cc12c85d0805ac36ba254                        14968   \n",
       "4  7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27                         1190   \n",
       "5  36c5d12033b2eaf251bae61c00690ffb17fddc87                         2376   \n",
       "6  d487580502354c61808c7180d1a336beb7ad4624                         2376   \n",
       "7  36c5d12033b2eaf251bae61c00690ffb17fddc87                          915   \n",
       "8  8dca9749cd48d286950e7a9fa1088c937cbccad4                          915   \n",
       "9  8c5437cd76a89ec983e3b364e219944da3dab464                          130   \n",
       "\n",
       "                   Table  \n",
       "0             MiscEvents  \n",
       "1  ProcessCreationEvents  \n",
       "2  ProcessCreationEvents  \n",
       "3  ProcessCreationEvents  \n",
       "4             MiscEvents  \n",
       "5             MiscEvents  \n",
       "6             MiscEvents  \n",
       "7  ProcessCreationEvents  \n",
       "8  ProcessCreationEvents  \n",
       "9  ProcessCreationEvents  "
      ]
     },
     "execution_count": 43,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "query = \"AlertEvents | sample 10\"\n",
    "mdatp_prov.exec_query(query)"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.7.1"
  },
  "widgets": {
   "application/vnd.jupyter.widget-state+json": {
    "state": {},
    "version_major": 2,
    "version_minor": 0
   }
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}
